diff --git a/README.md b/README.md
index 39161e6..cc3add4 100644
--- a/README.md
+++ b/README.md
@@ -1,9 +1,19 @@
 # My Nix config
 
-To install, simply run `nixos-rebuild switch --flake .` and
-`home-manager switch --flake .`... just kidding, this config relies on a
-bunch of secrets that I'm too lazy to make defaults for (such as initial
-root password for impermanence), so you won't be able to run it as-is.
-
 Home-manager config and modules are in `./home`, NixOS config and modules
 are in `./system`.
+
+Secrets are fetched using a nix plugin at evaluation time to avoid using
+`--impure`. I plan to implement a more robust secrets system later
+though.
+
+To install, simply run `nixos-rebuild switch --flake . --option
+extra-builtins-file $(pwd)/extra-builtins.nix` and
+`home-manager switch --flake . --option extra-builtins-file
+$(pwd)/extra-builtins.nix`, since this repo relies on build-time
+decryption of secrets using a Nix plugin (to be fair you won't be able
+to use it since you don't have the secrets, such as initial root
+password). If you don't have `nix-plugins` though, you can put the
+secrets in plaintext to `/etc/nixos/private` and add `--impure` flag to
+bootstrap the config.
+
diff --git a/extra-builtins.nix b/extra-builtins.nix
new file mode 100644
index 0000000..c58f9c2
--- /dev/null
+++ b/extra-builtins.nix
@@ -0,0 +1,19 @@
+{ exec, ... }: {
+ # I might get a somewhat better solution later, "enjoy" this for now
+ secrets = let
+ archive = exec [
+ "sh" "-c"
+ "echo '\"' && (cd /etc/nixos/private && tar czv . 2>/dev/null | base64 -w0) && echo '\"'"
+ ];
+ in pkgs: import (pkgs.stdenvNoCC.mkDerivation {
+ name = "private";
+ unpackPhase = "true";
+ buildPhase = "true";
+ installPhase = ''
+ mkdir -p $out
+ cd $out
+ echo "${archive}" | base64 -d | tar xzv
+ '';
+ url = builtins.toFile "private.tar.gz" archive;
+ });
+}
diff --git a/flake.nix b/flake.nix
index 6682df6..b3ab2cd 100644
--- a/flake.nix
+++ b/flake.nix
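Review bot: Every form of the secrets this file produces is a Nix store path and therefore readable by every local user: the extracted tree in `$out` of the `private` derivation, the base64 copy baked into its builder script by `echo "${archive}"`, and a third copy from `url = builtins.toFile "private.tar.gz" archive;`, which stdenv never reads (`url` is not an attribute the generic builder acts on), so that line only adds a redundant copy and should go. The README's "build-time decryption" wording does not convey that the decrypted files themselves end up world-readable, so the comment at the top should say so, e.g. `# NOTE: the extracted secrets (and the .drv holding the base64) land in /nix/store, readable by any local user`. Separately, if `/etc/nixos/private` is missing the `&&` chain prints only the opening `"`, so `exec` fails with a Nix parse error rather than naming the directory; a `test -d /etc/nixos/private || { echo 'missing /etc/nixos/private' >&2; exit 1; }` ahead of the first `echo` gives a readable message, assuming the plugin surfaces the command's stderr.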
@@ -32,18 +32,21 @@
 outputs = inputs@{ self, nixpkgs, nixos-hardware, impermanence, home-manager, nur, nix-gaming, notlua, nixos-mailserver, ... }:
 let
 # IRL-related stuff I'd rather not put into git
- priv =
+ priv = pkgs:
 if builtins.pathExists ./private.nix then (import ./private.nix)
 else if builtins.pathExists ./private/default.nix then (import ./private)
- else { };
+ # workaround for git flakes not having access to non-checked out files
+ else if builtins?extraBuiltins.secrets then builtins.extraBuiltins.secrets pkgs
+ # yes, this is impure, this is a last ditch effort at getting access to secrets
+ else import /etc/nixos/private;
 # if x has key s, get it. Otherwise return def
 getOr = def: s: x: with builtins; if hasAttr s x then getAttr s x else def;
 # All private config for hostname
- getPriv = hostname: getOr { } hostname priv;
+ getPriv = pkgs: hostname: getOr { } hostname (priv pkgs);
 # Private NixOS config for hostname
- getPrivSys = hostname: getOr { } "system" (getPriv hostname);
+ getPrivSys = pkgs: hostname: getOr { } "system" (getPriv pkgs hostname);
 # Private home-manager config for hostname and username
- getPrivUser = hostname: user: getOr { } user (getPriv hostname);
+ getPrivUser = pkgs: hostname: user: getOr { } user (getPriv pkgs hostname);
 # extended lib
 lib = nixpkgs.lib // {
 quoteListenAddr = addr:
@@ -113,9 +116,12 @@
 ./system/modules/impermanence.nix
 ./system/modules/common.nix
 impermanence.nixosModule
- (getPrivSys hostname)
- {
+ (getPrivSys (import inputs.nixpkgs { inherit system; }) hostname)
+ ({ config, pkgs, ... }: {
 nixpkgs.overlays = [ overlay ];
+ nix.extraOptions = ''
+ plugin-files = ${pkgs.nix-plugins.override { nix = config.nix.package; }}/lib/nix/plugins/libnix-extra-builtins.so
+ '';
 nix.registry = builtins.mapAttrs
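Review bot: `builtins?extraBuiltins.secrets` tests only that the plugin's builtin exists, not that `/etc/nixos/private` is present on the evaluating host, so a machine with the plugin loaded but without the directory fails inside `extraBuiltins.secrets` and never reaches the last branch; worth saying in the workaround comment, e.g. `# needs the plugin *and* /etc/nixos/private on the evaluating host (see extra-builtins.nix)`. The removed `else { }` also changes the failure mode for a checkout with none of the three sources, which now stops at `import /etc/nixos/private` (needing `--impure`) instead of evaluating with an empty private config; if that is intended, one sentence on the `# IRL-related` comment would make it explicit. `priv` is now a function of `pkgs`, so any reference elsewhere in the file that still uses it as an attribute set would break — only the callers in this hunk are visible here, and the following -113 hunk is cut off before its last context line.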
@@ -130,7 +136,7 @@
 })
 (lib.filterAttrs (_: v: builtins.pathExists "${v}/default.nix") inputs);
 nix.nixPath = [ "/etc/nix/inputs" ];
- }
+ })
 ] ++ (lib.optionals (home != {} && (getOr true "enableNixosModule" (getOr {} "common" home))) [
 # only use NixOS HM module if same nixpkgs as system nixpkgs is used for user
 # why? because it seems that HM lacks the option to override pkgs, only change nixpkgs.* settings
@@ -147,10 +153,14 @@
 nixpkgs = getOr { } "nixpkgs" (getOr { } "common" home);
 nix = getOr { } "nix" (getOr { } "common" home);
 }
- ({ pkgs, ...}: {
+ ({ config, pkgs, lib, ...}: {
 nixpkgs.overlays = [ overlay ];
+ nix.package = lib.mkDefault pkgs.nixFlakes;
+ nix.extraOptions = ''
+ plugin-files = ${pkgs.nix-plugins.override { nix = config.nix.package; }}/lib/nix/plugins/libnix-extra-builtins.so
+ '';
 })
- (getPrivUser hostname username)
+ (getPrivUser (import nixpkgs { inherit system; }) hostname username)
 ];
 }) (builtins.removeAttrs home [ "common" ]);
 }
@@ -170,8 +180,9 @@
 (lib.mapAttrsToList
 (hostname: sysConfig:
 let
+ system = if sysConfig?system then sysConfig.system else "x86_64-linux";
 common = builtins.removeAttrs (getOr { } "common" sysConfig.home) [ "nixpkgs" "enableNixosModule" ];
- pkgs = getOr (mkPkgs { system = if sysConfig?system then sysConfig.system else "x86_64-linux"; }) "pkgs" common;
+ pkgs = getOr (mkPkgs { inherit system; }) "pkgs" common;
 common' = common // { inherit pkgs; };
 in lib.mapAttrsToList
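Review bot: The `nix.extraOptions` block added in the -147 hunk is the same three lines as in the hunks at -113 and -179, and `pkgs.nix-plugins.override { nix = config.nix.package; }` is the one place that decides which nix the plugin is built against, so three copies are three places for that pairing to drift (this hunk and -179 also pin `nix.package = lib.mkDefault pkgs.nixFlakes;`, -113 does not as far as visible). Defining it once in the outer `let`, e.g. `nixPluginsModule = { config, pkgs, lib, ... }: { nix.extraOptions = ''…''; };`, and listing `nixPluginsModule` in each of the three module lists keeps a single definition to review when the nix package changes. The -170 hunk on this line is cut off before its last context line.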
@@ -179,10 +190,13 @@
 (user: homeConfig: {
 "${user}@${hostname}" = home-manager.lib.homeManagerConfiguration (common' // {
 modules = homeConfig ++ [
- (getPrivUser hostname user)
- ({ pkgs, ... }: {
+ (getPrivUser (import nixpkgs { inherit system; }) hostname user)
+ ({ config, pkgs, lib, ... }: {
 nixpkgs.overlays = [ overlay ];
- nix.package = pkgs.nixFlakes;
+ nix.package = lib.mkDefault pkgs.nixFlakes;
+ nix.extraOptions = ''
+ plugin-files = ${pkgs.nix-plugins.override { nix = config.nix.package; }}/lib/nix/plugins/libnix-extra-builtins.so
+ '';
 })
 ];
 });
diff --git a/postpush.sh b/postpush.sh
deleted file mode 100755
index 16a547f..0000000
--- a/postpush.sh
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/usr/bin/env bash
-mv .git .git.bak
diff --git a/prepush.sh b/prepush.sh
deleted file mode 100755
index b49b902..0000000
--- a/prepush.sh
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/usr/bin/env bash
-mv .git.bak .git
diff --git a/push.sh b/push.sh
index 9f478d9..3598682 100755
--- a/push.sh
+++ b/push.sh
@@ -1,4 +1,3 @@
 #!/usr/bin/env bash
 git push
 git push github master
-./postpush.sh
diff --git a/update.sh b/update.sh
index 2905d12..4efc1f7 100755
--- a/update.sh
+++ b/update.sh
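Review bot: `getPrivUser (import nixpkgs { inherit system; }) hostname user` instantiates a second nixpkgs only to build the secrets derivation, while the enclosing `let` (the -170 hunk, `pkgs = getOr (mkPkgs { inherit system; }) "pkgs" common;`) appears to already have a `pkgs` for this configuration in scope at this line; `(getPrivUser pkgs hostname user)` would reuse it and, since `extraBuiltins.secrets` derives from `pkgs.stdenvNoCC`, likely avoid building a second `private` derivation. If the fresh import is deliberate (for instance to keep user overlays out of that derivation), a comment saying so would stop the next reader from "simplifying" it. The same fresh `import nixpkgs` is passed in the -147 hunk, where no `pkgs` is in scope outside the module function, so that site would need a `let` to share one.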
@@ -1,15 +1,15 @@
 #!/usr/bin/env bash
 cp ~/.config/nixpkgs/overlays.nix ./overlays.nix || (mkdir -p ~/.config/nixpkgs && cp ./overlays.nix ~/.config/nixpkgs)
-nix flake update
 nvfetcher \
 -o ./pkgs/_sources \
 -c ./pkgs/nvfetcher.toml || echo "failed to update nvfetcher sources"
 mozilla-addons-to-nix \
 ./pkgs/firefox-addons/addons.json \
 ./pkgs/firefox-addons/generated.nix || echo "failed to update firefox addons"
+nix flake update
 if [ -z ${SUDO_ASKPASS+x} ]; then
- sudo nixos-rebuild switch --flake .
+ sudo nixos-rebuild switch --flake . --option extra-builtins-file "$(pwd)/extra-builtins.nix"
 else
- sudo -A nixos-rebuild switch --flake .
+ sudo -A nixos-rebuild switch --flake . --option extra-builtins-file "$(pwd)/extra-builtins.nix"
 fi
-home-manager switch --flake .
+home-manager switch --flake . --option extra-builtins-file "$(pwd)/extra-builtins.nix"
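Review bot: The new `--option extra-builtins-file "$(pwd)/extra-builtins.nix"` on the three rebuild lines resolves against the caller's working directory, so invoking the script from outside the repo hands Nix a path that does not exist; whether that surfaces as a plugin error or as the fall-through to `import /etc/nixos/private` in flake.nix, the message will not name the missing option file. The script already depends on the repo root for `./overlays.nix`, so making it explicit once, `cd "$(dirname "$0")" || exit 1`, and holding the option in an array, `extra=(--option extra-builtins-file "$PWD/extra-builtins.nix")` expanded as `"${extra[@]}"` on the three lines, removes both the cwd dependence and the triplicated literal.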